Martin Hinton (00:05) Hi, and welcome to the Cyber Insurance News and Information Podcast. Today we've got a really fascinating guest, Kurtis Minder. He is a technologist, cybersecurity expert, ransomware. He's been at this stuff since the 90s. He's worked at everything from AT&T to startups. Most recently he founded and then departed from GroupSense when it was sold. And he's also the author of a book, Cyber Recon. And I just want to read the... and I'm gonna look at my notes to get it right. Cyber Recon: My Life in Cyber Espionage and Ransomware Negotiation. So Kurtis, it's wonderful to have you, and I think that tips us right off. Before we dive into the ransomware negotiation stuff, tell me a little bit about your career, how you got to this point and how you became interested in, I guess, technology broadly. How did it all start for you?

Kurtis Minder (00:59) I mean, I almost, I think the very beginning is the only part of my career that wasn't like an accident. In the very beginning, you know, my dad worked in a factory. He was packing flour for Pillsbury, the Doughboy company, right? And when I visited him when I was a kid, he was in this loud building with these huge earmuffs on, and there's flour powder everywhere and it smelled bad and it wasn't climate controlled. It was like 110 degrees in the summer. Then I went to my mom's work, and she worked as an accountant for the state of Illinois. And I don't know what she did exactly, but she sat in a chair and she typed on a thing and she had a cup of coffee. And I remember as a kid, after going to both of those, like the extreme different environments, I was like, whatever that is. So I took every keyboarding class. This is before they had computers in school. So they had keyboarding and formatting 101 with an actual typewriter. And then I went to Barnes and Noble and ordered books that I couldn't afford to buy. They would deliver them. I wouldn't pick them up. They'd end up on the shelf.
Then I'd go read them. I'd probably owe Barnes and Noble some money. And so I read books on Unix, and it was a very deliberate path to get into tech so that I could not work in a factory. That's how I got started.

Martin Hinton (02:17) So you were one of the very early people to hack Barnes and Noble, it sounds like, pre-internet days.

Kurtis Minder (02:21) I at least hacked their system a bit, and how they order books, but yes.

Martin Hinton (02:26) So we've got a few topics to discuss today: ransomware, cybersecurity broadly, cyber resilience, how cyber insurance impacts the ransomware negotiation space. And then you've written a few pieces on your website, which people can see right there. And some of them get into sort of really big things, stuff about the state of nation state threats and the idea that we might already be in World War III. And we'll get to that later, but that's a little tease for the audience. So let's dive in. Ransomware negotiation. Can you give me an idea of how it starts for someone in your situation? Like, what's the first notice you get from a client, or maybe it's someone you don't know? How does it all begin?

Kurtis Minder (03:10) Well, like anything, it depends on whom the victim is, I think, how I get involved. But for the cases that we did at GroupSense, we were typically brought in by either a law firm that had a breach practice, fairly large law firms, usually global law firms, or a cyber insurer. And the first engagement with the client is also very different based on the size of the victim, right? So for the clients that came in through GroupSense, which were quite large, they are... It's a boardroom full of people. I'm on a Zoom typically, like not there in person. I'm on this big screen on the wall, and you've got your CEO and CFO and internal and external counsel and somebody from the technical staff, and it's a room full of people.
And we typically start off by taking inventory of where we are in the incident response plan. And also me getting an idea of, like, have you engaged? Please, no. But if you have, what has happened so far. And that's how it starts on the smaller end. So I do a lot of sort of pro bono work for small businesses, and so that's very different. You can imagine instead of having a boardroom full of people, it's Mary's accounting firm in Des Moines, and she's, you know, she's got eight employees that she's gonna have to lay off if we don't solve this by Wednesday. It's a very different scenario. And I will say, though, in both cases, Martin, it is heartbreaking and stressful, and also you end up sort of becoming a de facto therapist for the victim.

Martin Hinton (04:45) So, you know, that's a good point. You mentioned when we spoke before that sort of empathy and the human factor is really important. And, you know, we've all seen movies where it's maybe a hostage negotiation or a ransomware negotiation and there's stress and music. And maybe you've read books about that, or there's the book by FBI profilers and that sort of thing. That part of it strikes me as something that people might think doesn't exist because we're so detached from the reality of how all our tech works and the ones and zeros. I use

Kurtis Minder (05:18) Right.

Martin Hinton (05:19) this line with some regularity. The list of things that would exist if I would, wouldn't, excuse me, the list of things that wouldn't exist if I was the only person left is as long as any list's ever been. And most of it's got ones and zeros involved with it. Do you think that it's important to remember that? Like, tell me about that part of it. Go into that a little more. Cause one of the things that I think is important for our audience is to understand that

Kurtis Minder (05:30) Right, right.

Martin Hinton (05:40) there's a real human factor in all this sort of thing.
There's guilt and blame and fear and, like you said, you know, laying people off and letting people down or the business being disrupted and that sort of thing. Tell me some more about that.

Kurtis Minder (05:52) Sure. Well, I think you make a good point. I mean, I think it's just going to increasingly be the case that it's easy to dehumanize sort of the situations we end up in because of technology. I think it adds a sort of complex layer of abstraction to our real lives. And it's not just on the victim side. I think it's also important to understand that our adversaries or our opponents are also humans. And they have motivations and needs, and they have egos and all of those things. And I think something that we do a lot in cybersecurity in general, which I've been doing some version of for 30 years, is we dehumanize our opponent. They are people. They have a reason for what they're doing, whether we agree with it or not. And the lens that they may see the world through, they may see this as completely justified. And that changes how you interface with them. That changes how you talk to them.

Martin Hinton (06:47) You make a really good point. There's a really, really good book called Achilles in Vietnam. And it's written by a psychiatrist who treated Vietnam veterans with PTSD. And one of the elements of the book is that dehumanizing exacerbates the chance of mental health issues following conflict. But it also makes you less likely to win, very simply put, because you underestimate. And that's a classic failure in any kind of conflict situation, is underestimating and not

Kurtis Minder (07:08) Right.

Martin Hinton (07:15) having an understanding of your enemy. It's funny, I often think of the word empathy as often viewed too softly, and empathy is really trying to put yourself in someone else's shoes so that you can appreciate where they see things. And in an adversarial situation, that creates advantage.
So you touched on the cyber criminals, the bad actors, these phrases get tossed around. When you deal with them, how does that manifest itself in a literal way? How do you actually communicate?

Kurtis Minder (07:30) Yes. It varies, but for the most part, the majority of the cases, if I'm interfacing with a threat actor in a ransomware case, it's through the dark web. So they'll leave behind a ransom note to the victim. I think one thing that's important for people who aren't familiar: the ransom note never actually contains the ransom amount. So you don't know as a victim, you don't know how much they're asking for until you talk to them. And that's an important thing to know, because it is a very important decision point. Do you talk to them just to find out how much they're going to ask? Are they going to ask for five bucks or five million? You don't know. Right. So, but on that ransom note, they'll have very specific instructions on how to get on the dark web and how to contact them. And usually it's a dark web website, looks kind of like a normal website, except the URL, you know, the website address is very funky. And then it's specific to your instance. So that website exists solely for you. And when you go there, there'll be a box that's basically a chat window embedded in the browser. And that's where most of the dark web conversations happen with the threat actors. There are cases where we talk to them over anonymous email. There are cases where we talk to them over point-to-point communications like Tox or Jabber or something like that. But most of the time it's on one of these dark web embedded chat rooms.
Martin Hinton (09:05) So one of the things you touched on is that there's a lot of misconception about sort of how this all unfolds in the media, and it gets, I don't know what, I forget what word you used, but that idea that there is a sort of, I mean, it's a tech, it sounds like a text-based conversation in the simplest form.

Kurtis Minder (09:22) It feels a lot like an SMS or like an iMessages conversation. Yeah.

Martin Hinton (09:28) And when you, does it come, again, I'm just trying to imagine it, you send a message and then you wait for a reply depending on where they are geographically, or do you get replies instantly? Or I guess it must vary a great deal, but is it a mixed bag of how fast these sort of communications flow back and forth?

Kurtis Minder (09:48) It's a mixed bag, but that's a really informed question, because that's one of the things that I talk to the victims about. Obviously, having done I don't know how many hundreds of these over the last six or seven years, I think I have a rough idea of how each threat actor group is going to behave if I know them, and I know many of them. So I can set those expectations. But one of the things that I tell the victim is that this incident is the most important thing in the world to you. Not to the bad guys. They have multiple victims. They're not on the hook for anything, frankly. They can go, they can decide to take a vacation. We've had bad guys do that, say, hey, it's Friday afternoon. We'll talk to you on Monday. We're going to the lake. They've done that. And so that's something that the victim has to understand, is that your expectation that they're going to immediately respond to anything you're going to say is not warranted at all. And most of the time, the larger groups will have a group working in shifts to talk to the victims in our time zones.
There are also a lot of cases where, if the victim can afford it, we will purposefully time those messages and create a certain cadence to them on purpose as part of the strategy.

Martin Hinton (11:03) So you touched on two things just now that I think are betrayed by when you ask ChatGPT for the image of a hacker and you get a hoodie-wearing, you know, well, I guess teenager, they could very well be teenagers, but the ransomware note comes with instructions and they're highly organized, right? So they know that they might be trying to get money and extract the ransom from people who don't understand the dark web or technology at the same level as them. So they want to remove the friction with regard to the quote unquote purchase. And then also they take weekends off or work in shifts, or they understand that not everyone's on the same time zone and you have to sort of overlap your shifts. I mean, that suggests to me that, what I've been told by several people is that this is highly organized activity. It's not some sort of willy-nilly kind of outfit that you're dealing with generally.

Kurtis Minder (11:58) I mean, there are willy-nilly outfits for sure, but most of the ransomware groups are pretty organized and they function a lot like a business. They have, you know, middle management and water cooler conversations and, you know, they have bonuses and quotas and all of the things that you would expect from a business.

Martin Hinton (12:16) But again, I mean, the water cooler, right? It's in every office, I suppose. So when you get these, you know, one of the things that, everyone watching this, even people who aren't in the cybersecurity space, have heard the phrase ransomware. I guess it rings a bell because it's got the word ransom in it. Why is it ransomware, not just ransom? Where does that, do you have any idea of the etymology of that?

Kurtis Minder (12:22) Right? I guess I don't know if that's funny.
I don't think I've actually looked up the etymology of that word, but I do understand, because it is software. So the original version of this is a form of malware or software, malicious software, that is designed to facilitate a ransom. So I could see where they just kind of Voltron, I don't know if anybody's gonna get that, Voltron those two words together to make ransomware. So it did make sense. I will say that.

Martin Hinton (12:46) Yeah.

Kurtis Minder (13:08) There are a fair number of groups now that are solely focused on extortion. They don't actually deploy that software. They just steal data and then use it to extort the victims, which is, they still call that ransomware, but it's sort of a misuse, I guess, of the term at this point. It's sort of, it's taken on a bigger meaning. Yeah.

Martin Hinton (13:24) So that gets me to my next question, is there's the exfiltration of data and the encryption of data. These are two separate sort of tactics within what's now broadly called ransomware. What changes in that situation? Is one of those, I don't know, worse, easier to deal with? Is there a, from the victim side and the side working for the victim, what changes with regard to those two different types of things?

Kurtis Minder (13:52) Yeah, I mean, it's kind of a double extortion. It's almost like a little bit of insurance for the ransomware actors, because if, for example, they have not done a good enough job of disrupting the backups or recovery processes of the victim, if they just deployed the ransomware, the people just recover and never pay the ransom. However, if they also took all of this critical data before they did that, and that data includes employees' personal information, healthcare information, or, you know, critical contracts, intellectual property, email conversations that might be found embarrassing or disruptive to someone's family or life or business. All of those things are a lot of leverage.
And so they've got a second card to play if the ransomware itself is not enough to get the victim to pay. It's subjective, you know, on which one's worse. I mean, it depends on the business and the operational impact and so on. But they're both bad. I can tell you that.

Martin Hinton (14:48) I mean, it sounds to me, the word unique gets overused and misused a lot. Sticking to the actual definition of unique, meaning one of a kind, is it your experience that fundamentally each ransomware negotiation is unique to itself and the circumstances that any particular organization or company finds themselves in?

Kurtis Minder (15:08) Certainly the cost equation is unique, I think, for almost every single organization, or the impact sort of analysis, the quantitative elements of that are unique. The interactions with the threat actors can be quite formulaic, right? Which, they have a playbook, I have a playbook, we know each other's playbooks. We still do it. So, I mean, some of it can be a little bit monotonous for the person who's interfacing with the threat actor.

Martin Hinton (15:41) So you touched on it a second ago, paying and negotiating. Is it a classic, they start high, you start low and meet in the middle? What affects where the starting points are for what someone's willing to receive or pay? How does that evolve over the course of these communications?

Kurtis Minder (16:01) Yeah, I think this is actually one of the, and when we talk later about sort of the insurance role in this and stuff like that, I think this might come back up. Having a professional negotiator, if you want to drive a better outcome, is important. Just having someone raise their hand, like, I'll argue for you. That's not, they might call themselves a negotiator. There are people who practice this science and know what they're doing.
What you just described is very traditional positional bargaining, and a lot of the negotiation transcripts I've seen that don't go well start with that. And I think you're going to end up there on every case, nearly every case, you're going to end up with this positional bargaining, but you don't want to go there immediately. You want to delay that as long as possible. To answer the first part of your question, which is like, what sets the sort of starting price? So first let's talk about how the threat actors handle that. Most of them will look at business intelligence tools, the same ones that, like, salespeople would use to sell to a company. Like, they actually have ZoomInfo accounts, because they send me screenshots of the ZoomInfo records, right? So they're looking them up in regular old business intelligence tools, the clients, and they say, well, your revenue was this and we're taking 5%, right? Something like that. Some of them have a system and an equation. Unfortunately, they don't. They're not business people, and they don't understand, like, profit and loss and margin. And so sometimes you have to explain to them, like, hey, that doesn't mean I have that much cash in the bank. That's not what that means. So you have to explain to them. But there's also this concept of perceived value that, especially with the data that they, on the extortion side, the data that they've taken, you know, they may overvalue that. And it's our job to tell them, hey, we agree that that data that you've taken has value. We think that you've misunderstood what that value is, and walk them through that and help them come to their own conclusion to set a more realistic price. And you've got to do this several times before you get to the little positional bargaining thing. Otherwise you're going to end up with a crappy number.
Martin Hinton (18:10) Do you get the sense that if you make an offer over the dark web, it's, I gotta get back to you, and they have to go have a chat with their boss about whether it's okay to move to this price point? I mean, does it have that kind of very conventional business negotiation kind of sense to it?

Kurtis Minder (18:28) It's like the guy at the used car dealership. Like, I gotta go talk to the manager. Yeah. Yeah. They do that. And they have floors that, you know, the people you're negotiating with have floors that they can't go below without approval. And so they do have to go to their managers, and sometimes we'll notice a switch in the dialect or a switch in the English proficiency in the middle of the talk. That means the manager is actually at the keyboard now, right? He's like, move, you know, like, and so that's, like, what is it, the SNL skit? Nick Burns, the company computer guy. I don't know if you've ever seen that one. But Jimmy Fallon plays the, move. So yeah, that does happen pretty regularly, pretty frequently.

Martin Hinton (19:01) I don't remember that yet. So you touched on cyber insurance a little bit ago, and you touched on things like backups and that sort of thing. Take me through from a company point of view, assuming no one is immune from this potential issue, right? Everyone is susceptible, right? If you have an internet connection, there's potential for someone to get in. What are the things that exist? Cyber insurance, backups, routine, what are the things that companies can do that will help their negotiating stance in a ransomware situation?

Kurtis Minder (19:41) Well, there's, I mean, there's a standard sort of best practice cybersecurity stack that I think, you know, most established companies are applying. Those are not immune to this either. Some of the more advanced EDR technologies, like endpoint detection and response, you know, play a big role.
Segmentation, network segmentation, that's more of an architectural thing, so that it's more difficult to move between sections of the business. I think one of the most powerful tools is, it's more of a reference framework than it is a technology, is zero trust or least privilege access for everyone. The tighter you lock that down, the smaller impact a threat actor can make in your environment. So those are very powerful. And of course backups, and having some, you know, resiliency to those backups. So one thing about the backups is the threat actors will... once they gain access, they don't immediately execute these attacks, right? First, they're going to steal data. So that takes a while. They're sneaking that data out. While they're doing that, they're sort of casing the network and the business. They want to see, okay, who's in charge, right? Like, when do you do your backups? Where do they go? Which account executes the backups on each machine? Like, which user account does that? And so that they can disrupt those things. And they've gotten quite good at it. You know, people sometimes come to these meetings overconfident. It was like, well, we've got great backups. And then they call us back a couple hours later and go, like, they're all gone. It happens. The bad guys are good at this.

Martin Hinton (21:13) So you may. You touch on something that I think people don't quite appreciate. These are not lightning fast events, right? It's a, what's the Mission Impossible movie where they break into the Kremlin and they make the fake hallway sort of image, and they slow, you have to create a time period if you're the attacker to be in the space. And what you do then is you observe, you take the data that you're gonna ransom, and then you also observe what defenses they may have within that

Kurtis Minder (21:28) Mm-hmm.

Martin Hinton (21:44) that you can sort of overcome or minimize with your actions while you're existing in their safe space within their perimeter unnoticed.
Is that a layman's way to put it?

Kurtis Minder (21:59) 100%. And what I was going to also add to the technology stack slash sort of preventative measures is just assume that some version of this will happen someday at your organization and plan for that. So that, I've been in a bunch of these and I can tell you, I know who either has a plan and has practiced that plan and who has not in the first five minutes. And so the organizations that have a good incident response plan that is ransomware intelligent, that's important, because some of the plans don't work in a ransomware case. They work in other cyber attacks, but not a ransomware case. But then also having done tabletop exercises where they've practiced that plan, night and day, as far as the outcome, night and day.

Martin Hinton (22:45) Yeah, I mean, again, like so much of this, I mean, you referenced the sort of accounting firm with, you know, employees. But the truth is even very large corporations are in some respects, even at the C-suite level, detached from the concerns or risks. It certainly seems that way anyway. And the thing I always think is that while all this feels super new, things like segmentation is, that's just, you know, you've got a big building and your path doesn't get you through every locked door. It only gets you through the locked doors that you're allowed to go to. So that if you want to go somewhere you don't normally go, you have to get special permission, so that that movement and that access is noticed. You know, I mean, I think that those sorts of things are, you know, in the physical security world, they exist. And that idea that this is just invisible to us, it does create a lot of confusion, but it is... It's just a new place.
And given that we do so much in the digital space, adopting that more aggressive mindset to security is something that is, I mean, again, from my point of view as a journalist, it seems like the level of security that exists in the sense of cyber is pretty poor in general around the world. Do you think that's too harsh? I mean, what do you think from your experience?

Kurtis Minder (24:02) No, no, I don't. I'm still sort of surprised and disappointed, because I get pulled into these cases where it's like, most of these companies could have avoided this or prevented the larger attack in any number of ways. And some of them have invested in quite a bit of consulting from, you know, the big five or whomever to help them build their response plans or their cyber infrastructure, and still miss some very basic things. And so it is disappointing. And I don't think it's too harsh at all. I, you know, I think at the board level, a lot of these companies, somebody at the board needs to be asking, hey, how seriously are we taking this? And somebody needs to own it.

Martin Hinton (24:46) Yeah, I mean, talk about owning it. I assume you saw that the board of Qantas, the airline in Australia, based in Australia, dinged their CEO pay and a few other executives over the cyber attack they suffered. I haven't had the time to look into it, but I couldn't remember another occasion of a large company like that. I mean, they don't do that sort of thing in a lot of ways anyway, never mind over a cyber attack. So that struck me as something.

Kurtis Minder (24:58) I did see that.

Martin Hinton (25:13) You know, you touched on zero trust. And again, I made the analogy to segmenting where your ID card could get you in a physical environment. The other, I always thought of zero trust, like you wouldn't ever allow employees to, oh, I forgot my badge, swipe me in, you know, that kind of thing.
That idea that everyone has to have their own key, their own badge, their own access, and I know that's oversimplifying it, but that idea is we do this. We know that matters. I mean, the example I use with MFA is if you have an apartment with one lock and then a deadbolt. Well, that's two things that need to happen to gain access to your valuable space. Again, I think the point from earlier about sort of a greater level of civilian and general population awareness about how important this is and, you know, it's a little more, but that's okay. Human beings are pretty good at doing things, and it's not that much more. Once you get used to it, it's natural. It just becomes the way you do it. And again, the scale of the problem.

Kurtis Minder (25:49) Right. Right. Right. Well, I have this answer I give at conferences when I talk about that, the cyber sort of responsibility of cyber hygiene for citizens, because I do think it's a national security issue. And sometimes I'll be asked, well, now we all have to be cyber experts, Kurtis. And the answer is no, just like you don't have to be a doctor to know how not to die. These are very basic things that we can all learn. It's not rocket science, and we're making just silly mistakes on a personal and professional level.

Martin Hinton (26:42) Yeah, I, again, I think, you know, I mean, listen, I had grandparents who grew up without seat belts or airbags and, you know, I'm old enough that, you know, you never wore your seatbelt in the back of the car and it was only a lap belt. And the idea that, you know, it takes no time. And it's again one of those things that if you make it part of your routine, it really doesn't feel like extra. But I think for a lot of people it seems a little daunting. I mean, particularly when you think about how many passwords we have and how many different standards there are for MFA. Is it going to be a text? Is it going to be a token or whatever it might be?
You know, I know a lot of people who are not unintelligent. They are not lazy, but it just feels, you know, a little bit overwhelming in a way that maybe my mom having to reset her VCR once did to her. You touched on it.

Kurtis Minder (27:13) Right, right, I get it, I get it. But it'll come around.

Martin Hinton (27:37) Yeah, well, I mean, I'm of the opinion it's got to. I mean, from a purely economic point of view, the scale of the cost of this is, you know, and maybe it's sustainable. I don't know. But it's depending on the numbers, because the data about just how much is lost to cybercrime is a bit like vapor. I mean, you see a number as high as 10 trillion, 10 and a half trillion. Some people throw that number out, and it goes down from there. But it doesn't matter. I mean, if you're getting into the T's, it's probably worth paying attention to.

Kurtis Minder (28:06) Right.

Martin Hinton (28:07) When it comes to the ransomware situation, just jumping back a second, we touched on cyber insurance. Tell me about the role of cyber insurance in this situation. If you arrive, is it one of the first questions you ask a company, to see their policy and to understand it? Tell me about that.

Kurtis Minder (28:21) Yeah, certainly. And like I said, sometimes, actually, a lot of the times, cyber insurers are the ones bringing me to the table. So I know the answers to a lot of that. But I do think cyber insurance has played a positive role in the risk reduction, because, you know, years ago, not that long ago, maybe a couple of years ago, you know, you were going to get underwritten for a cyber policy. They sent you a survey that said, do you cyber? And you go, yep, I do. And then they sent it back and they're like, here's your policy. You know, they don't do that anymore. They check, right? They check.

Martin Hinton (28:48) Like a half a page, that's like a half a page checklist. That was, yeah.

Kurtis Minder (28:53) Do you cyber? But yeah, now they do. They check.
And I think that's forcing a lot of companies, and companies who have better existing programs and/or are investing in programs get their premiums reduced. So I think they're driving better behaviors, you know, as an industry. I think on the response side, I think there's been some challenges where, look, what I do, I get it. Like, they're actuaries, right? They do math. It is highly subjective what I do, and there is no litmus test for negotiators, right? And there's no core data set. So what they have is, they've got on their panels, they've got incident response firms and/or law firms who have raised their hand and said, I can do that too. And the problem with that is some of them can and some of them cannot. So what I've seen is sort of a commoditization of the negotiation component. That drives down sort of the quality of that. And that concerns me, which is why, you know, at GroupSense, we actually launched a training course and we trained our competitors on how to do this better. And we trained some of the top IR firms and stuff like that on the science of negotiation. So there wasn't just, you know, somebody went back and read Getting to Yes again, and then suddenly they're an expert. So we taught them. But I still think there's a lot of room to improve there.

Martin Hinton (30:19) So, I mean, you make a good point about the cyber insurers sort of driving companies to either improve what they've got or add things in general. You know, it reminds me of sort of the, you know, this is a bit of a simplification, but the early days of property and casualty, where the joke I make is an insurance company would go to a factory or a warehouse and say, we'd love to insure you, but let me introduce you to my friend Sprinkler System over here. And we'll give you a discount on that. And once you've got that, we'll be able to charge you an amount you like, and it's also a risk that we're comfortable insuring at that amount.
And that was, I mean, that business evolved, I guess it was about 100, 120 years ago it started. But that idea that we're in this space where there's, in the best scenarios, this almost symbiotic relationship between the cybersecurity and cyber insurance sort of cohort. And obviously there are a lot of companies that provide sort of that active insurance, I think is one of the phrases you see used. Is there... You know, when it comes to the ransomware scenario, are there elements to a cyber insurance policy that are must-haves or things that companies and individuals watching this might want to check in the wake of listening to this?

Kurtis Minder (31:30) I mean, the only thing I would say, and I'm not an expert on the policies themselves, but I would say that not enough companies read the fine print of those policies because it's not like, I'm not suggesting that cyber insurance companies are trying to trick anybody, but what I'm saying is in the event of an incident, a lot of the policies dictate like timelines and orders of operations of whom you should contact and when, by what time and all of that. And a lot of the companies don't know that. And it's a really shitty time for them to start reading that during the incident, right? So they really need to read their policy and understand what the insurance company expects of them in an incident so that they can take the best advantage of the insurances offered.

Martin Hinton (32:12) Yeah, I mean, and you're talking about things like retaining records of communications and stuff that they might require for you to prove that certain elements of the policy were met and you need to collect that data.

Kurtis Minder (32:25) But also orders of operations like, do not contact the threat actor until we've been engaged, right? So don't call the insurance company after you've gotten in an argument with the bad guy. Don't do that, right? That kind of thing.

Martin Hinton (32:39) Yeah.
Well, you touched on that and I could tell how important that was when you got involved and you were like, you haven't talked to them, right? Please say no, please say no. I mean, that's, you betrayed, we were touched, we began with human emotion. You betrayed the, like the primary concern walking into the room is you haven't touched anything yet, right?

Kurtis Minder (32:57) Right, right. And often they have. And the problem with that is the bad guys don't care if we switch pitchers, right? They can't go like, hey, I'm not good at this. Bob's coming now, he's taken over. Can we start over? You know, it's not an Etch A Sketch, right? Whatever you've said, it applies, right? It started a trajectory that is hard to reverse. And so that's difficult when someone has already engaged the threat actor.

Martin Hinton (33:21) And I can't, it just jumped into my mind now. I can't imagine how many movies I've seen where there's a hostage situation and it starts with some sergeant or a beat cop trying to negotiate and then the real negotiator comes in and he's said something and annoyed the hostage takers and all that sort of thing. Again, the humanity of this is one of the things that matters, right? Whether it's ransomware and all digital and over the dark web or it's in person, the people involved are very similar. They're motivated by the same sorts of things and it's... It's one of those things that at least I try to do in this space to remind me that as new as all this feels, it's all just people again, like it's just human beings interacting in one way or another. And I guess that's, you know, something to touch on. You mentioned a couple of things that make the ransomware negotiation a little better, or things like the EDR stuff and that sort of thing. If you're a company listening to this now,

Kurtis Minder (34:06) 100%.
Martin Hinton (34:18) Are there, is there a checklist of things that you might want to go through or make sure you've got that, you know, I'm still amazed how many, how few companies demand MFA or they allow personal devices or, whatever, or they, you know, I mean, again, we've already touched on how poor cyber hygiene is broadly in society. What are some things a company should do to help build their cyber resilience and make them better off in a situation when it hits them?

Kurtis Minder (34:46) Yeah, I mean, I'm hesitant to start listing off the entire security stack, but I think you mentioned, you know, first identity and access management and MFA everywhere that you can do it. Privileged access management. That's if you need to do something with privilege, that there's a platform that manages who does that and how and what level of access they have and then removes it when they're done and things like that. Those are really powerful tools, I think. One of, some of the things that are overlooked is, for example, and this is more on the licensing side, is logging. So once this event has occurred, when the forensic people show up to try to figure out exactly what happened in what order and do the bad guys still have access and all of that, they need logs. The standard licensing that a lot of companies are buying, for example, for their Microsoft suite doesn't log enough data. So you have to know the necessary logging levels and things like that. So that's super important for the forensic side of things. And that also plays into one of the biggest mistakes that we see, technical mistakes that we see happen on these cases is, you know, you come into work and ransomware is affecting your computer. It's not working normal. You can't figure it out. What do you do? Well, you've been kind of conditioned to restart that machine, right? You reboot it. When you reboot it, two things are bad about that in a ransomware case.
One, the software that the bad guy's using is really good at encrypting your files. It's not entirely stable though. And so if you reboot when it's still running or something like that, you're probably not getting any of your data back ever. No matter if you buy the key or not, that data is gone. The other problem is there are key forensic items in memory that are erased every time you reboot that the forensic people need. And so I think I'm okay with people unplugging cables, like network cables. I'm not okay with them shutting things off. And we've seen a lot of mistakes with that as well.

Martin Hinton (36:39) That's really interesting. You see that panic, like pull the power plug out. Again, the movies, they don't get it all right. You've told me this before. One of the things you touched on earlier, and I guess it always harkens back to sort of my military history days, is sort of the wargaming or tabletop exercising. If you're at a large company and you want to practice having a cyberware incident, and it should probably begin with a 2 a.m. call on a Saturday night to the CEO saying we've got a problem.

Kurtis Minder (36:45) Right.

Martin Hinton (37:08) You know, we can't get into any of our systems. I mean, again, back to preparing us. We practice like you're going to play and all these phrases you hear out of sports and, you know, military planning, no plan survives contact. So you have to have sort of an adaptability and malleability with best practices in place. How important is that part of it? And because that's one of those things I can imagine feeling like that's no company retreat. That's a whole other day of work where you get it. You have to. You have whole ideas to be consumed by this problem in practice so that when it consumes you in real life, you have some sense of all the things that are going to go wrong. We can't get the general counsel because they're on a plane right now and that sort of thing.
Kurtis Minder (37:52) Right. Yeah, and also there's two different levels of these, sort of, we call them tabletop exercises. Like you mentioned, there's a technical one. And I think a lot of companies think that that's the only one they need to do. And honestly, that one, I'm a little bit biased, but I think that one is less important than the executive one. The executive level tabletop is who decides who talks to whom? Like if the media is calling. What do we do about HR if the bad guys are using call centers to call our employees and scare them? Which is a thing they do, right? Like just all of those big executive level decisions, you don't want to make them in a vacuum as they're happening. You want to pre-understand what the potential use cases are and agree to how you're going to respond well in advance of the actual incident. And so those executive level tabletops are super, super important. On the non-technical side, the biggest mistakes we see made are almost always along the lines of communication. Either communication to business partners, communication to the employees, communication to the outside world, media, et cetera. Those are the most expensive mistakes I've seen folks make. And those tabletops help you work through those scenarios, come to an agreement as an executive team as to if we're in this scenario, this is how we're going to handle it. And here's who's responsible for doing those components, et cetera. Super, super important.

Martin Hinton (39:13) Could you give me, you know, an anonymized example of a mistake in that space or a scenario that's more detailed?

Kurtis Minder (39:20) Sure. Yeah, sure. Well, I've seen it so many times in different variations. It's hard to pick one, but I think, so first of all, keep in mind, eventually this case is going to end and you're going to want to get back to business, right? You're going to need a tremendous amount of goodwill from your community.
And that's all of your community, your staff, you know, from a morale perspective, your business partners. You know, everybody's going to eventually know something; you're probably going to have to report it. So it's going to be public. You know, I believe the quickest way for you to ruin that goodwill is to make them feel like you intentionally misled them during the incident itself. And so we've seen cases where, I mean, I worked a case where the ISO even previewed the communication they were going to send out to the media and the victim clients, because they were a service provider, a bunch of their clients were affected. And he goes, hey, let me know what you think of this. And I said, well, aside from the fact that it's patently false, I think it's really well written. So I mean, I knew where that was going and it ended up in a pretty nasty class action lawsuit, right? And so those kinds of things happen all the time. There was a case with a hospital chain where the hospital

Martin Hinton (40:31) you

Kurtis Minder (40:45) IT staff were kept in the dark about what was actually happening. Now they're the people who, like, they need their help, but they're not telling, they will not admit to them that they're under a ransomware attack. And the IT staff eventually revolted and ended up talking to the media about this. And it blew up, right? It blew up in their face and it cost them a lot of money. So the communication part is just critical, you know? And part of it's a company culture thing too. If you run your business on values and those values include, you know, transparency, honesty, you know, things like that, this is a pretty good time to practice those values.

Martin Hinton (41:24) It's interesting and again, I think it comes back to how we began talking about the human element of all this, that the communication part of it is one of the things that can trip you up in the sort of incident response element.
And again, I think that, you know, in crisis communications, which I know a little bit about, that idea that you don't have a plan, you don't have a protocol for, you know, no one speaks to the media. Everything has to come through a single point so that... You know, there's at least one choke point for things that we do or whatever it might be, however you want to organize it. It is surprising to me to, well, it's not surprising. That's overstating it, but it's one of those things where it seems like one of those things that's so easy to overlook, I guess, is what I'm getting at. So it's not surprising, but it's shucks. I mean, that, you know, it's not the first time that you hear stories about people being unprepared for when the train comes off the tracks. Right. What do you do? How do you respond to the thing? You know, I mean, I guess. Now, before we move on, there's a couple of things I want to cover. Can you take me through sort of a, you know, a ransomware negotiation or give me a couple of anecdotes about whether it's a funny thing or a roll-your-eyes kind of moment or, you know, like tell me a couple of tales.

Kurtis Minder (42:20) Right. Right. Sure. Again, there's like so many to choose from. It's hard to pick a particular one. I mean, so first of all, some of the threat actors actually perpetrate as if they're a business and they're functioning like a business like we talked about earlier. So they actually perpetrate, they actually personify that in the messages. They refer to the service they provided and getting paid for the service that they provided. And they provide tech support when they give you the code and things like that. And those same groups have relegated, many of them have relegated to almost like fake legalese when you get to the end of the negotiation. So you're saying, okay, we've come to a number that we both agree on. And this is what you're going to do for the number.
You like, there's a bunch of bullets that we give and just, I'll just tell you some. So obviously we're asking them for the decrypter. And we specify that it will decrypt all files, right? And we tell them they're going to delete the data and provide some log and/or video of that deletion, that they're not going to attack us again, that they won't, if we're on the shame site, they remove us from the shame site, that they're not going to sell our information to other threat actors. It's just like a long list. We're trying to get as much for our money as we can. And those groups, of course, agree to all this, but they come back with this almost fake legal document that they put in, and still just in the chat. It's not even a legal document. Whereas like, whereas party A will blah, blah, blah. Like they literally, it's like they watch too many, like, you know, law TV shows or something. That's, I think that's funny. And then I have to be like, Kurtis McGree, you know, like, or whatever. To their legal document, which has no enforcement whatsoever. But it is funny. And then the tech support part is true. If you do have problems, it's not the same people you negotiate with, they'll turn you over to another chat group.

Martin Hinton (44:26) Yeah.

Kurtis Minder (44:35) Sometimes it's in a different platform like Telegram or something like that where they will help you with the software if you have issues with it and stuff like that. So they do actually provide technical support. And there have been cases where we've applied some level of projected empathy to get them to lower the number for the victim. We, for example, we got one group to basically, they started at 2 million and we got them to... They call it their cost of goods, which also refers to the fact that they're running a business, but they said their cost of goods for the attack was, it was a cancer charity. Their cost of goods for the attack was 5,000.
And so we settled on 5,000 so they can recoup their costs of the attack. Which, by the way, those are largely because they've bought that from something called an initial access broker, which is basically a bad guy who hacks into a company and then sells that access to other bad guys. So they probably, that cancer charity was probably hacked by an initial access broker. He listed it on a dark web marketplace for $5,000. The ransomware guys bought it, deployed the ransomware, and then we paid them the $5,000 to recoup their costs instead of the $2 million they originally asked for. So we've had cases like that as well. It's very strange.

Martin Hinton (45:49) You touched on something that I think people might be surprised to hear. What's the scale from like the high to the low for the amount that's paid in ransom?

Kurtis Minder (45:57) It's massive. I mean, and if you go back to the groups function like a business, some of them have different go-to-market strategies than others, right? So the go-to-market strategy for some of these groups is what we would call big game hunting. These are the guys that are trying to break into IBM and GE, and they're really focused on a small number of very high value brands. They're asking for tens of millions of dollars typically when they do these attacks. You know, there's been cases upwards of 50 or million. And those are based on probably business intelligence tools. They say, you made X number of billions of dollars. And so, you know, this is a rounding error for you. Then there are groups who are more like a spray and pray or sort of opportunistic in nature. And they're doing a volume play. So they attack more victims, but they ask for smaller amounts in the tens of thousands. You know, I don't see many below a hundred thousand anymore, but most of them, you know, are just kind of opportunistic in nature. They're not targeting specific companies.
Martin Hinton (47:01) I had a guest on, a journalist out of the UK, named Danny Palmer, fascinating guy. He's been covering cyber security for, I guess, almost 15 years now. And his first story was about a local council in England that was ransomwared and the ransom was 500 pounds. So they said, tell me about how far we've come. Yeah, exactly. Yeah. Exactly. Hold on. Where do I meet you?

Kurtis Minder (47:23) Oh my gosh. Yeah, that's like in the petty cash drawer, right? Right.

Martin Hinton (47:32) One of the things that you see now, and it's popped up at the place I've seen it more sort of talked about in a more coherent way, is the banning of ransomware. And I've heard all kinds of arguments for and all kinds of arguments against and it varies from sector to sector. Do you have any thoughts or ideas about that, what it might do?

Kurtis Minder (47:40) Mm. Oh man, do I. Oh man, do I.

Martin Hinton (47:52) Go on then.

Kurtis Minder (47:53) Yeah. So this is something I, you know, I've briefed a couple of committees in Congress on this. I've been trying to raise this flag again recently, because I do believe this is both a national security issue and a significant drain on our economy. However, and also it is unethical. And that's something we talked about before we started recording about, you know, if we're paying a ransom and that ransom money is used to harm human beings, we probably shouldn't do it. Problem is that a lot of these companies don't have a choice. So for every brand name company we hear about in the news, thousands of small businesses are hit every day and they're either going to go out of business or pay the ransom. If your goal from banning ransoms or making it illegal was to reduce the number of ransoms paid, I don't think you'd actually achieve that because keep in mind, this happens over cryptocurrency and the dark web. You're just not going to hear about it. They're going to pay it because they don't have another choice. They've got two options.
You know, I have been campaigning for, you know, the creation of a third option. I think there's a pretty easy ROI that you could calculate, return on investment you could calculate from a federal perspective, and given that it's a national security issue as well, that we really put some teeth behind our prevention and response programs and help some of these companies recover and give them a third option. I don't think banning it's going to solve it.

Martin Hinton (49:21) I mean, is that almost like some sort of quasi public backstop, like a governmental type of, you know, like you get the weight of America behind you? Yeah. I mean, that's what you mean. I mean,

Kurtis Minder (49:28) Yeah, and I mean, that could be run through something like CISA. You know, CISA never really had any teeth, you know, it was largely like an advisory service. But I think that organization could be equipped to do that kind of work if Congress could get behind it.

Martin Hinton (49:43) I mean, you touch on, I wrote a piece up earlier today. It was a white paper report from Zurich and a few other groups about the, their argument was we needed a common language basically for the cyber metrics and that sort of thing so that we could measure things with the same words. And it just struck me and I wrote it in the piece. I said, you know, we don't even have a common language where cybersecurity and cyber security are either one or two words. Like some people use it as two words, some people use one word and that's how far we are.

Kurtis Minder (50:10) Right.

Martin Hinton (50:13) Given the lack of reporting and the sort of, you know, the invisible parts of this, to your point about the thousands of companies that get ransomwared and they just sort of pay it and move on like, oh, that sucks. Let's just get on with our day.
And I think that's one of the issues in the cyber, and with underwriting cyber insurance and the level of risk versus the level of insurance that exists, that it's hard to know about this because so little of it is public. And again, I think that's part of sort of moving into the next section where we talk about, you know,

Kurtis Minder (50:25) Right. Right.

Martin Hinton (50:43) as individuals or as a society or as a population, we have a responsibility in the cyber sense, not unlike we have a responsibility to drive appropriately on the road and to not drive like lunatics. There needs to be some sort of national standard for cyber insurance, excuse me, for our behavior in the cyber world to create cyber resilience, not unlike there were standardized things like car safety and speed limits that brought road traffic deaths down in America, right? Those things save lives.

Kurtis Minder (50:53) Right.

Martin Hinton (51:11) Seat belts, airbags, whatever it might be. And I was wondering if you could touch on that bigger idea, that sort of societal idea. Because one of the things that I've said, and I'm a big history buff, so I always use this, one of the analogies I use is that I feel like as far as, I mean, I'm 54, so I wrote checks and used stamps to pay my first rent. And I remember dial-up coming into my home in the 90s and that sort of thing. We are at the very beginning of technology.

Kurtis Minder (51:26) Thank

Martin Hinton (51:40) not unlike we might have been at the beginning of the industrial age. And I feel like we're almost in the Model T Ford days of this from a historical point of view, where we've got a car and it's unbelievable, it's revolutionary, and no one's ever seen anything like it. But give it 50 years and you won't have any, it's going to amaze you what exists with regard to this space. And part of that and part of creating resilience around there, given the fact that people are always going to try and steal things from where we put them.
And we put everything we value into digital spaces now, well, not everything, but an enormous number of things.

Kurtis Minder (51:51) Right.

Martin Hinton (52:10) that we need to ingrain at a very early age a digital version of look both ways when you cross the street, if you will. And I wonder what you think about that from a grade school level and, you know, societal level.

Kurtis Minder (52:23) Yeah. Well, first I want to, you know, go back to the beginning of your question where you're using the metaphor of like seat belts and airbags and things like that. It still fascinates me that most of the cyber vulnerabilities are in the software that we're using. I didn't write the software. The software vendor did. They didn't put the seat belts on there. Nobody's making them put to sleep. Nobody's holding them accountable for that. And I think that's an issue, right? It's like, I have to use this stuff to function in the real world. Look, I've been a technology guy for 30 years. I have no idea how my iPhone works. No clue. It's an appliance, right? I'm trusting these guys built it correctly so that people can't just get in there, right? And so that's an issue, I think. Part of it, there's two parts. And then the other part is to what you said, like there are some best practices and to me, I think the word hygiene is pretty good because it's like we understand we got to wash our hands. You got to brush your teeth. You know, there's some basic things so we don't get sick and we don't smell bad or whatever. So I think those simple things. Yeah, I think we need to teach those early and often and make them part of the habit of your daily life. And some of it's really simple stuff like, you know, when I give a talk, sometimes I'll talk about the cyber hygiene stuff. I'll say, hey, you know that box that pops up when you're playing Words With Friends or whatever, and it says that you need to update your phone.
Stop playing the game and update your phone. Your software provider has made a mistake that they're trying to fix. And if you keep ignoring it, it's going to be a problem for you. And that's, I think everybody has a responsibility there. Yeah.

Martin Hinton (54:00) What? So I haven't finished it yet, but I've started to hobble together some words for an op-ed on our site that the bug fix is the most understated phrase in the world. It doesn't, you know, bug fix, you know, like, cause that's what you see, right? Bug fixes and other stuff, you know. But I mean, you make a really good point because you get the OS update and then the apps need to be updated and that's just your iPhone. And, you know, it is.

Kurtis Minder (54:20) Right. Right, right.

Martin Hinton (54:35) Again, I think I said this recently on one of our podcasts. It is, updating your software on whatever devices you're using is one of the biggest things you can do to take advantage of the help that's coming from outside, from the, you know, the providers of the software we use. And it is, again, it's so easy to ignore, you know, I mean, maybe I'm wrong, but it feels to me like with OS. Yeah.

Kurtis Minder (54:54) Yep, I get it. I get it. It's disruptive, right? But, you know, to have to stop whatever you're doing and do this, it can be disruptive. But do you know what's more disruptive? Ransomware. So click the update button.

Martin Hinton (55:06) Yes, I do. I feel like maybe I'm just noticing it more because it's frequency syndrome because I've been at this work for a couple of years now. But I feel like Apple now, when they release an OS update, if there's media or publicity around it being, quote unquote, maybe an urgent security update to try and, you know, trigger people to make the choice to do it with more expedience. I don't know if that's true or not. Maybe if I can find anything about that, I'll throw it at them. Yeah.

Kurtis Minder (55:28) Yep. Yep. I would buy that.
Yeah.

Martin Hinton (55:37) Because it is important. I think, like you said, most of us don't have any idea how this exists. And the joke I make, and I made it earlier, is that none of this would exist if I were the only one left. But we all use it every day. But I don't understand how my carburetor works. I don't understand how. I mean, I barely understand how the lock on my door works. I mean, I get it. But you only care when it doesn't work. And I think, again, trying to make it more like everything else in our lives, because it is all over our lives. And we basically have these attached to ourselves now. And that's only going to increase.

Kurtis Minder (55:50) Right. Right. Right.

Martin Hinton (56:06) That's not going to change. This part of it all, I mean, the security always lags, right? We always delay, we put off things until, I mean, we, you know, I mean, our language is replete, right? You don't close the barn door until the horse gets away or whatever it might be and that kind of stuff. Yeah. I want to pivot now as we sort of move towards our close. One of the pieces you have, and this gets to something that I'm a big proponent of, is the idea that...

Kurtis Minder (56:20) Right, right.

Martin Hinton (56:32) We are in, and I can't remember the exact title, so let me pull it up here and I will read it. Bear with me. It is basically, are we losing a war we didn't know we were fighting? And the first line is World War III started years ago, and you wrote that in 2023. So tell me what you mean by that piece and what you got in there.

Kurtis Minder (56:54) Yeah. Well, it's fairly complex and I could talk for an hour on this topic alone. So I'll try to distill it down to the basics. So our opponents, our geopolitical opponents, whether it's China, Russia, Iran, North Korea, let's just pick on them for a minute. Their strategy for disrupting our way of life and getting the upper hand is a complex and clever one. And I don't think we give them enough credit.
So for example, Russia has a, the way you translate cyber war in Russia, it translates to, they don't even have the same concept as we have of cyber war. So when you think of cyber war, Martin, you think of like cyber offensive activities toward an opponent's systems, right? You think of it kind of in this almost narrow, like that's what we're doing. We're going to attack their systems. That's not how they think about it. The way they translate it, and I forget the Russian word, forgive me, I sometimes can recite it, but today's not the day. So, but it basically translates into a broader definition of information warfare. And information warfare isn't just technical. For them, that is disinformation. The whole concept behind this Russian information warfare is you confuse and disrupt the enemy in a non-obvious way. You steal their resources. You create distrust within their network, all of these things. And you do it in a way that they don't know what's happening. That's what ransomware is. Ransomware is a bunch of, basically, you know, organizations inside Russia, with impunity, attacking Western targets, disrupting our way of life, hurting our operations, people losing their jobs, and then taking our money and using it for the things that they want on that side of the ocean. China does it for intellectual property. Iran does it to fund their nuclear program. You know, so they're all literally waging an act of war on us. And we're like, it's just hackers. No, it's not. It is deliberate and it's been deliberate for a decade and from a policy perspective, we are not taking it seriously enough.

Martin Hinton (59:07) You know what, it reminds me of the phrase of a death by a thousand cuts or sort of a low grade fever. I mentioned when I chatted with you earlier that I had done military history documentaries and I worked on a TV show for the History Channel a couple of years ago.
And one of my business partners is a POW/MIA sort of aficionado, particularly from the Korean conflict. And one of the things we know is that Americans who were taken prisoner during the war and then were interrogated by, say,

Kurtis Minder (59:12) 100%. Wow.

Martin Hinton (59:35) Russians or KGB officers, when they were back, they were encouraged to become Manchurian candidates. Now the movie takes it to the person becomes president and they're actually, you know, like, you know, a Russian agent or whatever it is. But in actuality, the sorts of things they would be encouraged to do were much like what you're describing. It would be, listen, when you move home, we want you to get your job back at the factory. But when you have the union meeting, we want you to rabble-rouse and we want you to talk about being more socialist.

Kurtis Minder (59:47) Right.

Martin Hinton (1:00:05) We don't want you to run for mayor and try and introduce socialism. We just want you to disrupt the everyday events that go on within your labor union to sow discontent and to upset people and make people kind of agitated. And fast forward to now, in a digital sense, it's exactly the playbook. And this is, you know, there's lots of great books about the KGB and this sort of thing that they did through the Cold War and that sort of stuff. But that idea that they're playing a goal, excuse me, they're playing a game with a

Kurtis Minder (1:00:22) 100%.

Martin Hinton (1:00:35) profoundly large goal and we're looking at it like pesky little kids in a basement hacking Marks & Spencer's, right?

Kurtis Minder (1:00:43) Right. Right. That's exactly right. And I mean, like you said, this isn't new. These tactics aren't revolutionary. They've been doing this for a half or more of a century, maybe 70 plus years. They've been doing this very successfully on the national stage. And it hasn't, you know, long before the Internet, they were doing disinformation campaigns and things like that.
So they know what they're doing. And we know that they know that.
Martin Hinton (1:00:45) Yeah.
Kurtis Minder (1:01:08) And we still don't apply it here, and I don't understand. It's very frustrating.
Martin Hinton (1:01:13) Do you think, I mean, it is. I mean, do you think that there is a need for something not unlike how we sort of stopped acid rain or atmospheric nuclear testing? Among the countries you can get to come to the table to agree not to do this, to help put it out there that A, it's a huge problem for nations around the world, and B, it's not good for the globe in general. That kind of, because there's no geography with these sorts of crimes. Anywhere you have the internet, you can do this. I'm just curious what you think is a step towards some sort of, you know, broader global solution to this problem. Because it is a global problem.
Kurtis Minder (1:01:53) So I'm not an expert in this, but Andy Greenberg in his book, Sandworm, if you've ever read that book, it's pretty awesome. So if you might remember, in Sandworm, they tried to do that at the UN Security Council. And the country that motioned for it was Russia. And the only country that refused to sign on was the United States. So it was almost like we're like, we want to wage cyber war, so we're not going to sign this thing. Well, we kind of screwed ourselves, because we're losing. And so I don't know why we did that. I think that this has been attempted. This sort of agreed, hey, we're not going to do this to each other. And we're going to agree as a globe not to do this to each other. And the United States was the linchpin that kind of said, we're not going to participate. We want the right to do this to the southern countries.
Martin Hinton (1:02:48) Be careful what you wish for, I guess, is the moral of that story. So we've been chatting for about an hour or so. So I want to let you get back to your day. And I know you've got to get yourself home.
Is there anything we've touched on that you want to say a little more about? Or is there anything we didn't get to that we discussed in some of our pre-conversations that you want to say a little bit about?
Kurtis Minder (1:02:50) Right. Right. Yeah, I think I'll just touch on the ransomware response business. I think, just for a second, consider that as a specific discipline and not something that you want to do flippantly; find someone who's got some experience in it. I think what was unique about how we came into that business is we were a cyber espionage company. We were already spying on bad guys. Our team spoke 20 languages. We partnered with some of the top negotiators in the world, you know, and we built a real scientific program around it. There are not very many firms that do this, but there's a reason for that. It's not trivial. It's quite an investment. That's number one. Number two is, I think we did sort of beat the proverbial horse, but I want to say it again that everything's connected. There's a talk I do called, it's called the Digital Butterfly Effect. It's one of my favorite talks. And if you're familiar with the chaos theory of the butterfly: it flaps its wings in one part of the world, and it affects some major thing like a tornado or something, a cyclone. The concept is that, you know, by the way, the subtitle of this talk is "From the Dry Cleaners to the DIB." The DIB is the defense industrial base, right? And I think too often, whether we're a small business or an individual, we think, I'm not important. So if the bad guys attack me, I'm not that important. Yes, you are. Because it's all connected. And so in that talk, I draw a very quantitative line between a cyber attack against a dry cleaner and a national security incident. And so that is just to go back to our conversation about personal, you know, sort of responsibility and civil responsibility around cyber hygiene. Don't just do it for yourself. Do it for everyone else.
And so if we all, yeah.
Martin Hinton (1:04:53) Yeah, I mean, you know, there's... No, I was going to say, you know, six degrees of separation is the wrong phrasing here, right? It's more like 10 million degrees of connection, right? There is no, and you hear this from companies, when CEOs give their talk before parliament about the cyber attack they suffered, it's almost like they've realized it for the first time. They've got 50,000 employees and any one of them could be the entry point for someone to get inside the company. You know, and then it's almost like, didn't you think about that before? And to the points we've made throughout this,
Kurtis Minder (1:05:03) Right. Right.
Martin Hinton (1:05:23) Tons of them didn't, or it wasn't high on their concern list or their radar or whatever it might be, which again is something that gets taken advantage of. Anything else you want to touch on?
Kurtis Minder (1:05:34) Nope, just buy my book. Cyber Recon.
Martin Hinton (1:05:38) So Kurtis, thank you so very much. That book is Cyber Recon. There is a link in the show notes, wherever you might be listening to or watching this. And I think it takes you to Amazon, or maybe it's Barnes and Noble, or maybe I click both. I'll have to let myself know when I actually do it. Kurtis, thank you so much for the time. I think you and I could probably talk about this in a variety of ways for a long time. And hopefully we'll have you back on to talk about something specific or an event in the news. But for now, again, thank you so very much. To all of you listening and watching, I'm Martin, thank you again. To all of you listening and watching, I'm Martin Hinton, Executive Editor of Cyber Insurance News. Thank you so much. Please like, subscribe, leave a comment. If there's a question I can't answer, I'll get it to Kurtis. And again, thank you so much for watching. Really, really do appreciate it. Enjoy the rest of your day, wherever it might be.
Kurtis Minder (1:06:09) That'd be great.
Thank you, Martin.